Index: 1.

0
Use Case: Introduction
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Welcome
to the
Constructing a Secure SD-WAN Architecture Lab

In this Fast Track, you implement SD-WAN via FortiManager to remotely setup IPSEC VPN
tunnels between headquarter’s datacenter and two branch offices. You then setup SD-WAN on
the two branch FortiGate devices at the same time.
Index: 1.0 (a)
Use Case: Introduction
Objective Title: Topology
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Network Topology
The lab environment represents a fictional company, AcmeCorp. It has a headquarters (HQ)
data center and two branch offices (Branch 1 and Branch 2). Previously, AcmeCorp backhauled
all the internet traffic from the branch offices to HQ for processing. Now, due to the use of
cloud-based solutions increasing and leased lines becoming more expensive, AcmeCorp is
deploying FortiGate devices at the branch offices to allow direct connectivity to the internet, as
well as using internet service provider (ISP) links to augment the multiprotocol label switching
(MPLS) leased line to HQ.

A FortiManager and a FortiVoice appliance are installed in the HQ Data Center. The Fortifone
software is also installed on all of the workstations.
Index: 1.0 (b)
Use Case: Introduction
Objective Title: Agenda
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Agenda

Topic Time
Lab 1: Introduction – Topology and Agenda 2 Minutes
Lab 2: Configuring SD-WAN via FortiManager 30 Minutes
Index: 2.0
Use Case: Configure SD-WAN via FortiManager
Objective Title: Configure SD-WAN via FortiManager
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Configure SD-WAN via FortiManager

Currently, AcmeCorp backhauls all the internet traffic from the branch offices to HQ for
processing. They want to deploy FortiGate devices at the branch offices to allow direct
connectivity to the internet. This will not only offload much of the traffic off of the
multiprotocol label switching (MPLS) leased line, but the internet service provider (ISP) link will
also act as a backup for the MPLS link.

In this exercise, you use FortiManager to remotely configure SD-WAN between the branch
offices and HQ. You will also create an SD-WAN zone to control local internet breakout.
Index: 2.0 (a)
Use Case: Configure SD-WAN via FortiManager
Objective Title: Setting up IPsec VPN
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Setting up IPsec VPN

Background
AcmeCorp is using FortiManager to centrally provision and manage its devices. At the
headquarters (HQ) in Sunnyvale, AcmeCorp has a core FortiGate (FGT-HQ). There are currently
two FortiGate devices that are operational but not fully configured at branch offices in Ottawa
and New York (FGT-BR1 and FGT-BR2). AcmeCorp deployed FortiGate devices at the branches
to allow the use of the ISP link to augment their MPLS leased line to HQ.
As it will be using the internet as part of its connections between HQ and the branches, they
will be implementing VPNs. As such, AcmeCorp needs to add an IPsec VPN over its internet link
to HQ from the Branches. FortiManager allows centralized management of VPNs, which
includes configuring the VPNs as well as monitoring the VPNs.

Task
For this objective, we will be working on the FortiManager. From the Lab Activity tab, click
FortiManager in the side bar lab menu, then select HTTPS to connect to the FortiManager.
Log in using the following credentials:
Username: admin Password: Fortinet1!

A VPN community (HQVPN) is already configured. To view this community on the

FortiManager, click VPN Manager > IPsec VPN and select HQVPN.

Your goal for this objective is to add the FortiGate devices ( FGT-HQ, FGT-BR1, and FGT-BR2 ) to
the community.

Add Devices to VPN Community

Use the following steps to add devices to the VPN community:

1. Click VPN Manager > IPsec VPN.
2. In the tree menu on the left, expand All VPN Communities, then click HQVPN.
3. Click Create New and select Managed Gateway from the drop-down menu.

4. When the wizard opens, select all for the Protected Subnet and click OK.
5. Click Next.

6. For Role, select Hub and for Device, select FGT-HQ.

7. Click Next.
8. For Default VPN Interface, select ISP_1 (a dynamic interface that was previously
configured).
9. Click Next.

10. Leave Local Gateway blank.

11. Click Next.
12. For Advanced Options, leave the default values and click OK.

13. Create two additional managed gateway policies to add FGT-BR1 and FGT-BR2. Set Role to
Spoke and Device to the appropriate branch FortiGate. Use the same settings as the first
managed gateway policy for the rest of the configuration.
14. When you have configured all three gateway policies, your screen should look like this:
Index: 2.0 (b)
Use Case: Configure SD-WAN via FortiManager
Objective Title: Installing the Managed Gateway Policies
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Installing the Managed Gateway Policies

Background
Now that you have the managed gateway policy packages created, you need to install them
onto the appropriate FortiGate.

Task:
Your goal for this objective is to install the hub package on FGT-HQ, and the spoke packages on
FGT-BR1 and FGT-BR2. For all three devices, use the Install Policy Package & Device Settings
option.

Push Gateway Policies

Use the following steps to install the managed gateway policies:
1. Click Install Wizard.

2. Click Install Policy Package & Device Settings and set Policy Package to FG-HQ. Click Next.
3. Verify that FGT-HQ is selected and click Next.

4. After Installation Preparation completes, click Install.

5. After the installation completes, click Finish.

6. Use the installation wizard again to install the FG-Branch policy on FGT-BR1 and FGT-BR2.

Monitor View

1. Once you have installed the policy, click VPN Manager > Monitor. You can see that the
tunnels are all up.

2. Click Map View to show the tunnels on a world map (if the map does not appear after
about 30 seconds, press F5 to refresh the page).

3. Click Traffic View to see network traffic flowing between the protected subnets.
Index: 2.0 (c)
Use Case: Configure SD-WAN via FortiManager
Objective Title: VPN Tunnel Endpoints
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

0VPN Tunnel Endpoints

Background
To complete the IPsec VPN configuration, you need to configure the tunnel endpoint addresses
(you can find them in the interface pages from the devices in Device Manager > Device &
Groups).

Task
Your goal for this objective is to edit the IPsec tunnel endpoints

Set Tunnel Endpoints

Use the following steps to set the tunnel endpoint addresses:

1. Click Device Manager > Device & Groups.

2. Under Managed Devices in the lower left hand pane, click FGT-BR1.
3. Select Interface from the System drop-down menu and edit HQVPN_1.
4. In the Address section, set IP/Network to 10.10.1.2/32 and Remote IP to
10.10.1.1/32.

5. Click OK.
6. Under Managed Devices, click FGT-BR2.
7. Edit HQVPN_1.
8. In the Address section, set IP/Network to 10.10.2.2/32 and Remote IP to
10.10.2.1/32.
9. Click OK.
10. Under Managed Devices, click FGT-HQ.
11. Edit HQVPN_2.
12. In the Address section, set IP/Network to 10.10.1.1/32 and Remote IP to
10.10.1.2/32.

13. Click OK.

14. Edit HQVPN_3.
15. In the Address section, set IP/Network to 10.10.2.1/32 and Remote IP to
10.10.2.2/32.
16. Click OK.

Push Configurations

1. To push the configuration on to the FortiGate devices, click on Install Wizard.

2. Select Install Device Settings (only)
3. Click Next.
4. Confirm that all three devices are selected
5. Click Next.

6. After the Installation Preparation completes, click Install

7. When the installation is complete, click Finish.
Index: 2.0 (d)
Use Case: Configure SD-WAN via FortiManager
Objective Title: Creating an SD-WAN Template
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Creating an SD-WAN Template

Background

AcmeCorp wants to use both the MPLS leased line and the IPsec links you previously created to
route traffic back to HQ when the branch offices need to utilize corporate resources.
Along with VPNs, you can also centrally manage SD-WAN from FortiManager. For this lab,
SD-WAN is already enabled in System Settings.

Task
Your goal for this objective is to set up SD-WAN by creating a new SD-WAN template.

SD-WAN Template

Use the following steps to create an SD-WAN template:

1. Click Device Manager > SD-WAN.
2. Click SD-WAN Templates and click Create New.
3. Set Name as Template_1.

Interface Members
1. In the Interface member section, click Create New > SD-WAN Member.

2. Select MPLS as a member and click OK.

3. Repeat the steps above and add VPN and ISP_1 as members to the virtual-wan-link SD-WAN
Zone.

SD-WAN Zone for Internet Breakout

 SD-WAN zones are a way of logically grouping the SD-WAN interface members. They can
then be used in firewall policies to allow for more granular control.
1. Still in the Interface Member section, click Create New > SD-WAN Zone.
2. Set Name as Internet_Access.
3. Select ISP_1 as the Interface member.

4. Click OK

Performance SLA

1. In the Performance SLA section, click Create New.

2. Set Name to HQ_SLA.
3. Leave the Detect Protocol set to PING.
4. Select HealthCheck-Server from the Detect Server list.
5. Leave Participants set to Specify, and add both MPLS and VPN as members.
6. In the SLA section, click Create New.
7. Enter 10 for each threshold.
8. Click OK to save the SLA.
9. Click OK again to save all settings.

SD-WAN Rule for HQ Traffic

This rule will guide all traffic intended for the main office (FG-HQ) through the MPLS link, while
using the VPN for backup in the event the MPLS link goes down.

1. Click Create New in the SD-WAN Rules section.

2. Set Name as HQ_Rule_1.
3. Set Source Address to all.
4. Set Destination Address to HQ_Networks.
5. Set Outgoing Interface Strategy to Lowest Cost (SLA).
6. For Interface Preference, select MPLS and VPN.
7. Set Required SLA Target to HQ_SLA#1.

8. Click OK to complete the rule.

SD-WAN Rule for Internet Traffic

This rule will direct any traffic not intended for HQ to the ISP_1 interface, allowing direct
internet access.

1. Click Create New again in the SD-WAN Rules section.

2. Set Name as Internet.
3. Set Source Address and Destination Address to all.
Note: You can create rules for specific applications or internet services (for example,
Microsoft Office 365, Salesforce, Microsoft Teams, Amazon, or Dropbox) but for the
4. Set Outgoing Interface Strategy to Manual.
5. For Interface Preference, select ISP_1.
6. Click OK.
7. Click OK again to complete the SD-WAN template.
Index: 2.0 (e)
Use Case: Configure SD-WAN via FortiManager
Objective Title: Assign and Install the Template
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Assign and Install the Template

Background
Now that you have created the SD-WAN template, you can assign the template to the branch FortiGate
devices and install it.

Task
Your goal for this objective is to assign the SD-WAN template to the branch FortiGate devices and push
the install.

Assign Devices to Template

Use the following steps to assign and install the SD-WAN template:

1. Select Template_1 and click Assigned Devices.

2. Select FGT-BR1 and FGT-BR2 and move them to the Selected Entries column.
3. Click OK.

Push the configurations to Devices

1. Click Install Wizard.

2. Select Install Device Settings (only) and click Next.

3. Confirm that both FGT-BR1 and FGT-BR2 are selected and click Next.
4. When prompted, click Install.
5. When the installation is finished, click Finish.

Monitor the SD-WAN

1. To monitor the SD-WAN, click the SD-WAN tab and select Monitor.
2. Click Map View (if the map does not appear after about 30 seconds, press F5 to refresh the
page).
This view displays SD-WAN enabled devices on Google Map with color-coded icons. You can
view bandwidth usage on the right. If you hover over an interface, you can view health
performance statistics for each SD-WAN link member.

3. Click Table View. This view provides information on each SD-WAN link member, such as link
status, applications performance, and bandwidth usage.
Index: 2.0 (f)
Use Case: Configure SD-WAN via FortiManager
Objective Title: Edit Default Route
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Edit Default Route

Background

Now that you have the basic SD-WAN configurations done and installed on the devices, you still
need to alter the default route to use the SD-WAN virtual interface on the two branch FortiGate
devices.

Tasks
In this exercise, you edit the default route on the branch devices to use the SD-WAN virtual
interface as the egress interface.

Edit the Default Route

1. Navigate to Device Manager > Devices & Groups.

2. Select FGT-BR1 from the left hand pane.
3. Select Static routes from the Router menu.

4. Select the default route [ Destination: 0.0.0.0/0.0.0.0,

Gateway:10.100.0.101 , port5(MPLS) ] and click Edit.
 5. Change Device option to SD-WAN.

6. Click OK.

7. Select FGT-BR2 and edit its default route to use SD-WAN.

Push Policies

1. Click Install Wizard.

2. Click Install Policy Package & Device Settings and set Policy Package to FG-Branch. Click
Next.

3. Confirm that both branch devices are selected and click Next.
4. After Installation Preparation completes, click Install.
5. After the installation completes, click Finish.
Index: 2.0 (g)
Use Case: Configure SD-WAN via FortiManager
Objective Title: Examining the Configurations
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Examining the Configurations

Task
In this objective, you will have a look at the settings that FortiManager pushed out to the FortiGates.

Verify configurations pushed to FGT-BR1

1. Return to Lab Activity tab, click on FGT-BR1 on the sidebar menu, and select the HTTPS
option.
Username: admin Password: Fortinet1!

2. You are presented with a warning that this FortiGate is managed by FortiManager. Select
Login Read-Only.

3. Click Dashboard > Network. Notice that the IPsec widget lists the HQVPN_1 tunnel and
there are 10 routes in the Routing widget.
4. Click on the Routing widget to inspect the routes.

SD-WAN settings
1. Click Network > SD-WAN Zones.
2. Expand the zones to display the member interfaces.

3. Click Network > SD-WAN Rules

 4. Review the two rules that you created. The checkmark next to the interface member
indicates which interface the rule is currently favoring to pass traffic through. In the
above screenshot, any traffic destined to HQ uses the MPLS lines (with HQVPN_1 as
backup) and all other traffic flows through the local internet breakout.
5. Click Dashboard > FortiView Sessions.
6. Right Click on any session, and select End All Sessions

7. Click OK.

Generate traffic

1. Return to the Lab Activity tab and click on Bob (in Finance), then select the RDP option
to access Bob’s workstation.

2. Open FortiFone .
3. Likewise, click on Carol (in Branch 1) then select RDP to access her workstation.
4. Open Terminal and ping 172.16.100.135.
5. After a few pings, press Ctrl C and then ping 8.8.8.8.

3. Open FortiFone .

4. Dial 5051 and click the green phone button.

5. Return to the browser tab for Bob’s workstation.
6. Click on the green phone icon to answer the phone.
7. Return to FGT-BR1 and Click Dashboard > FortiView Sessions.
8. Right-click one of the column headings.

9. Deselect the following to clean things up:

Device

Source Port

Destination Port

Bytes

Packets

Duration
10. Select Destination Interface and Source Interface.
11. Click Apply.
12. Notice that the ping (ICMP) to 172.16.100.135 and the softphone (both traffic going
back to the HQ ) are directed through the MPLS interface, and the ping to 8.8.8.8 (internet)
is going out the local internet breakout.
Note: Other applications on the Ubuntu device may also be generating internet traffic.

When you click Continue on the FortiFIED app, the MPLS network will be disabled to simulate a
failure and cause the SD-WAN rule to fail over to the other link.
Index: 2.0 (h)
Use Case: Configure SD-WAN via FortiManager
Objective Title: Verify the Failover
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Verify the Failover

Background
A failure in the MPLS line was simulated in order to see the SD-WAN automatically failover to
the HQVPN_1 interface, which in this scenario, was acting as the backup to the MPLS lines

Task
1. Return to the FGT-BR1 browser tab.
2. Click Network > SD-WAN Rules.

3. Confirm that the rules are now directing traffic to HQ via the HQVPN_1 tunnel.
Note: you may have to refresh the page

4. Click Dashboard > FortiView Sessions.

5. Right Click on any session, and select End All Sessions
6. Click OK.
7. Return to Carol’s Workstation tab.
8. Open Terminal and ping 172.16.100.135.
9. After a few pings, press Ctrl C and now ping 8.8.8.8.
10. Notice that the softphone is still connected.

11. Return to FGT-BR1 browser tab

12. Click Dashboard > FortiView Sessions.
13. Right-click one of the column headings.
Note: You may need to reset the column headings.
14. Now traffic to HQ is going through the HQVPN_1 tunnel.
15. Before moving on to the next section, close the browser and terminate the phone call.
Index: 3.0
Use Case: Conclusion
Objective Title: End of Session
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

You have successfully completed the

SD-WAN
Hands-On Lab

Thank You

To get more information on this or other Fortinet solutions, please consider

looking at Fortinet's NSE training.